Security Bulletin: Vulnerabilities in NTP affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru firmware, QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module and QLogic Virtual Fabric Extension Module

Vulnerability Details

Summary

The switch firmware deliverables listed below have addressed the applicable NTP CVEs.

Vulnerability Details

CVE-ID: CVE-2015-7855

Description: Network Time Protocol (NTP) is vulnerable to a denial of service, caused by ASSERT botch instead of returning FAIL on some invalid values by the decodenetnum() function. An attacker could exploit this vulnerability to cause a denial of service.

CVSS Base Score: 5.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/107448 for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVE-ID: CVE-2015-7871

Description: Network Time Protocol (NTP) could allow a remote attacker to bypass restrictions, caused by a logic error when handling specific crypto-NAK packets. By sending an NTP symmetric active crypto-NAK packet, an attacker could exploit this vulnerability to bypass the symmetric association authentication process and make arbitrary changes to system time.

CVSS Base Score: 7.2
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/107436 for current score
CVSS Environmental Score*: Undefined
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L)

CVE-ID: CVE-2015-7692

Description: Network Time Protocol (NTP) is vulnerable to a denial of service, caused by an error in ntp_crypto.c. An attacker could exploit this vulnerability using a packet containing an extension field with an invalid value for the length of its value field to cause ntpd to crash.

CVSS Base Score: 5.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/107450 for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVE-ID: CVE-2015-7691

Description: Network Time Protocol (NTP) is vulnerable to a denial of service, caused by an error in ntp_crypto.c. An attacker could exploit this vulnerability using a packet containing an extension field with an invalid value for the length of its value field to cause ntpd to crash.

CVSS Base Score: 5.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/107449 for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVE-ID: CVE-2015-7701

Description: Network Time Protocol (NTP) could allow a remote attacker to obtain sensitive information, caused by a memory leak in CRYPTO_ASSOC. An attacker could exploit this vulnerability to obtain sensitive information.

CVSS Base Score: 5.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/107444 for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVE-ID: CVE-2015-7851

Description: Network Time Protocol (NTP) could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to the save_config function containing directory traversal sequences to view arbitrary files on the system.

CVSS Base Score: 5.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/107440 for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVE-ID: CVE-2015-7852

Description: Network Time Protocol (NTP) is vulnerable to a buffer overflow, caused by improper bounds checking by thecookedprint functionality. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

CVSS Base Score: 7.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/107439 for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVE-ID: CVE-2015-7853

Description: Network Time Protocol (NTP) is vulnerable to a buffer overflow, caused by improper bounds checking by the refclock of ntpd. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

CVSS Base Score: 7.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/107438 for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVE-ID: CVE-2015-7854

Description: Network Time Protocol (NTP) is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the password management functionality. By using a specially crafted key file, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

CVSS Base Score: 7.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/107437 for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVE-ID: CVE-2015-7702

Description: Network Time Protocol (NTP) is vulnerable to a denial of service, caused by an error in ntp_crypto.c. An attacker could exploit this vulnerability using a packet containing an extension field with an invalid value for the length of its value field to cause ntpd to crash.

CVSS Base Score: 5.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/107451 for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVE-ID: CVE-2015-7703

Description: Network Time Protocol (NTP) could allow a remote attacker to traverse directories on the system, caused by the failure to enforce local access only of the "pidfile" and "driftfile" configuration directives. An attacker could exploit this vulnerability to view arbitrary files on the system.

CVSS Base Score: 5.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/107445 for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVE-ID: CVE-2015-7704

Description: Network Time Protocol (NTP) is vulnerable to a denial of service, caused by an error in the rate-limiting mechanism. By sending spoofed Kiss-o'-Death packets, an attacker could exploit this vulnerability to disable NTP at a victim client.

CVSS Base Score: 7.5
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/107446 for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVE-ID: CVE-2015-7705

Description: Network Time Protocol (NTP) is vulnerable to a denial of service, caused by an error in the rate-limiting mechanism. By "priming the pump" and sending a valid Kiss-o'-Death packet, an attacker could exploit this vulnerability to disable NTP at a victim client and prevent the client from updating its local clock.

CVSS Base Score: 7.5
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/107447 for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVE-ID: CVE-2015-7848

Description: Network Time Protocol (NTP) is vulnerable to a denial of service, caused by an multiple integer overflows when processing malicious packets. By sending a specially crafted private mode packet, an attacker could exploit this vulnerability to cause the application to crash.

CVSS Base Score: 5.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/107443 for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVE-ID: CVE-2015-7849

Description: Network Time Protocol (NTP) is vulnerable to a buffer overflow, caused by a use-after-free in the password management functionality. By sending a specially crafted key file, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

CVSS Base Score: 7.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/107442 for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected products and versions

Remediation/Fixes

Firmware fix versions are available on Fix Central: http://www.ibm.com/support/fixcentral/

You should verify applying the fix does not cause any compatibility issues.

Workarounds and Mitigations

None.

References

• Complete CVSS V3 Guide
• On-line Calculator V3

Related Information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History
17 March 2016: Original Version Published

* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.